diff --git a/modules/config/krb5.nix b/modules/config/krb5.nix index 6543bbafc7d..7ff0b498562 100644 --- a/modules/config/krb5.nix +++ b/modules/config/krb5.nix @@ -6,8 +6,6 @@ let cfg = config.krb5; - #myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; }; - options = { krb5 = { @@ -21,6 +19,11 @@ let description = "Default realm."; }; + domainRealm = mkOption { + default = "atena.mit.edu"; + description = "Default domain realm."; + }; + kdc = mkOption { default = "kerberos.mit.edu"; description = "Kerberos Domain Controller"; @@ -49,6 +52,7 @@ mkIf config.krb5.enable { '' [libdefaults] default_realm = ${cfg.defaultRealm} + encrypt = true # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf @@ -84,6 +88,7 @@ mkIf config.krb5.enable { ${cfg.defaultRealm} = { kdc = ${cfg.kdc} admin_server = ${cfg.kerberosAdminServer} +# kpasswd_server = ${cfg.kerberosAdminServer} } ATHENA.MIT.EDU = { kdc = kerberos.mit.edu:88 @@ -162,6 +167,8 @@ mkIf config.krb5.enable { } [domain_realm] + .${cfg.domainRealm} = ${cfg.defaultRealm} + ${cfg.domainRealm} = ${cfg.defaultRealm} .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU @@ -172,10 +179,23 @@ mkIf config.krb5.enable { whoi.edu = ATHENA.MIT.EDU .stanford.edu = stanford.edu -[login] +[logging] + kdc = SYSLOG:INFO:DAEMON + admin_server = SYSLOG:INFO:DAEMON + default = SYSLOG:INFO:DAEMON krb4_convert = true krb4_get_tickets = false - + + +[appdefaults] + pam = { + debug = false + ticket_lifetime = 36000 + renew_lifetime = 36000 + max_timeout = 30 + timeout_shift = 2 + initial_timeout = 1 + } ''; target = "krb5.conf"; } diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 20868140cfa..5c59282fe8a 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix 
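Review bot: The default `"atena.mit.edu"` for the new `domainRealm` option in the -21 hunk looks like a typo for `athena.mit.edu`; every other MIT default in this file spells it `ATHENA.MIT.EDU` / `mit.edu`, and the value is rendered verbatim into `[domain_realm]` by the -162 hunk, so a misspelt domain silently maps no host. The description `"Default domain realm."` restates the option name rather than explaining it; I would write `description = "DNS domain (no leading dot) whose hosts are mapped to defaultRealm in [domain_realm].";`. The option, like its siblings here, declares no type, so a non-string value is only caught when the config text is interpolated.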
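Review bot: `encrypt = true` is added under `[libdefaults]` in the -49 hunk, but as far as I know MIT krb5 has no libdefaults setting of that name; `encrypt` is an application default that the kerberized telnet/rlogin clients read from `[appdefaults]`, and unrecognised `[libdefaults]` keys are ignored without any warning. The line therefore most likely has no effect while reading as if it forces encrypted sessions. Either move it into the `[appdefaults]` block introduced by the -172 hunk under the application it is meant for, or drop it and note in a comment that session encryption is not configured by this module; please verify against the krb5.conf manual for the krb5 version in use.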
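Review bot: The two `[domain_realm]` lines added in the -162 hunk are emitted unconditionally, so a user who sets `krb5.domainRealm = ""` to opt out gets a `. = REALM` and a ` = REALM` entry in krb5.conf. Wrapping them in `${optionalString (cfg.domainRealm != "") "..."}`, the idiom pam.nix already uses for its optional lines, keeps the generated file well-formed; alternatively state on the option that it must not be empty.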
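Review bot: Renaming `[login]` to `[logging]` in the -172 hunk leaves `krb4_convert = true` and `krb4_get_tickets = false` inside the new `[logging]` section, where MIT krb5 does not define them; they are `[login]` keys for the kerberized login program, so the rename silently drops that configuration while the logging section carries two meaningless entries. Keep the original `[login]` heading directly above the two `krb4_*` lines and add `[logging]` with its three `SYSLOG:INFO:DAEMON` lines as a separate section. The new `[appdefaults] pam` block would also benefit from a comment saying which PAM module consumes it, e.g. `# read by pam_krb5 (see modules/security/pam.nix); lifetimes without a unit suffix are presumably seconds — verify`, since `max_timeout`, `timeout_shift` and `initial_timeout` are module-specific names rather than krb5.conf settings.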
@@ -7,7 +7,7 @@ with pkgs.lib; let - inherit (pkgs) pam_usb pam_ldap; + inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds; otherService = pkgs.writeText "other.pam" '' @@ -63,6 +63,8 @@ let # Account management. ${optionalString config.users.ldap.enable "account optional ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.krb5.enable + "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} account required pam_unix.so # Authentication management. @@ -74,11 +76,18 @@ let "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"} auth sufficient pam_unix.so ${ optionalString allowNullPassword "nullok"} + ${optionalString config.krb5.enable +''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass +auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass +auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + ''} auth required pam_deny.so # Password management. ${optionalString config.users.ldap.enable "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.krb5.enable + "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} password requisite pam_unix.so nullok sha512 ${optionalString config.services.samba.syncPasswordsByPam "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"} @@ -86,6 +95,8 @@ let # Session management. ${optionalString config.users.ldap.enable "session optional ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.krb5.enable + "session optional ${pam_krb5}/lib/security/pam_krb5.so"} session required pam_unix.so ${optionalString ownDevices "session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"} 
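Review bot: In the -63 hunk `account sufficient pam_krb5.so` is stacked ahead of `account required pam_unix.so`, so whenever pam_krb5's account check passes the stack returns immediately and the local pam_unix checks (expired or locked local password, account expiry in /etc/shadow) are never applied to Kerberos users. If both checks are meant to hold, `account [default=bad success=ok user_unknown=ignore] ${pam_krb5}/lib/security/pam_krb5.so` ahead of the existing `required pam_unix.so` line tolerates principals unknown to Kerberos while still consulting pam_unix; if bypassing pam_unix is intended, say so in a comment. The PAM service template this line belongs to starts and ends outside the hunk.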
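Review bot: In the password stack of the -74 hunk, `password sufficient pam_krb5.so use_first_pass` is the first module to run unless LDAP is enabled, and `use_first_pass` forbids prompting, so with no earlier module having stored a token the Kerberos password change fails (I believe with a token error) and the stack falls through to pam_unix — Kerberos users would end up changing only their local password. `try_first_pass`, which prompts only when nothing is cached, is the usual control for that line. In the auth stack, `auth sufficient pam_ccreds.so action=store use_first_pass` is reached after a successful pam_krb5 via `success=1`, but a store failure (credential cache database missing or unwritable) is ignored by `sufficient` and execution drops to `auth required pam_deny.so`, so a user who authenticated correctly against the KDC is rejected; please test that path with the cache database unwritable and follow pam_ccreds' documented stacking if the current behaviour is not intended. The multi-line `''...''` literal is placed at column 0 inside an indented string; Nix strips common leading indentation, so it renders correctly, but a short comment above it saying the pam_krb5/pam_ccreds chain is deliberately written as three lines would help the next reader. The service template enclosing these lines starts and ends outside the hunk.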
@@ -184,7 +195,8 @@ in environment.systemPackages = # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] - ++ optional config.users.ldap.enable pam_ldap; + ++ optional config.users.ldap.enable pam_ldap + ++ optional config.krb5.enable [pam_krb5 pam_ccreds]; environment.etc = map makePAMService config.security.pam.services